add integration tests for subtract_privs for mysql_role and mysql_user
This commit is contained in:
parent
3dc21216cb
commit
aa0c779269
5 changed files with 312 additions and 0 deletions
|
@ -14,3 +14,4 @@ nonexistent: user3
|
|||
|
||||
role0: role0
|
||||
role1: role1
|
||||
role2: role2
|
||||
|
|
|
@ -5,3 +5,8 @@
|
|||
|
||||
# mysql_role module initial CI tests
|
||||
- import_tasks: mysql_role_initial.yml
|
||||
|
||||
# Test that subtract_privs will only revoke the grants given by priv
|
||||
# (https://github.com/ansible-collections/community.mysql/issues/331)
|
||||
- include: test_priv_subtract.yml enable_check_mode=no
|
||||
- include: test_priv_subtract.yml enable_check_mode=yes
|
||||
|
|
|
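Review bot: The two new `- include: test_priv_subtract.yml enable_check_mode=no` / `enable_check_mode=yes` lines use the legacy `include` keyword with key=value arguments, while the `- import_tasks: mysql_role_initial.yml` line just above them in the same file uses the modern form; `include` has been deprecated since Ansible 2.4, and the key=value form is also what makes `enable_check_mode` arrive as the string `'no'`/`'yes'` that the `when: enable_check_mode == 'no'` guards in test_priv_subtract.yml depend on. The identical pair of lines is added to the mysql_user main.yml in the later hunk. A form that survives a future migration is `- import_tasks: test_priv_subtract.yml` with `vars:` and `enable_check_mode: 'no'` (quoted, so the value stays a string rather than becoming boolean false).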
@ -0,0 +1,148 @@
|
|||
# Test code to ensure that subtracting privileges will not result in unnecessary changes.
|
||||
- vars:
|
||||
mysql_parameters: &mysql_params
|
||||
login_user: '{{ mysql_user }}'
|
||||
login_password: '{{ mysql_password }}'
|
||||
login_host: 127.0.0.1
|
||||
login_port: '{{ mysql_primary_port }}'
|
||||
|
||||
block:
|
||||
|
||||
- name: Create test databases
|
||||
mysql_db:
|
||||
<<: *mysql_params
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
loop:
|
||||
- data1
|
||||
|
||||
- name: Create a role with an initial set of privileges
|
||||
mysql_role:
|
||||
<<: *mysql_params
|
||||
name: '{{ role2 }}'
|
||||
priv: 'data1.*:SELECT,INSERT'
|
||||
state: present
|
||||
|
||||
- name: Run command to show privileges for role (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ role2 }}'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the initial set of privileges matches what is expected
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
|
||||
|
||||
- name: Subtract privileges that are not in the current privileges, which should be a no-op
|
||||
mysql_role:
|
||||
<<: *mysql_params
|
||||
name: '{{ role2 }}'
|
||||
priv: 'data1.*:DELETE'
|
||||
subtract_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
|
||||
- name: Assert that there wasn't a change in permissions
|
||||
assert:
|
||||
that:
|
||||
- "result.changed == false"
|
||||
|
||||
- name: Run command to show privileges for role (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ role2 }}'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the permissions still match what was originally granted
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
|
||||
|
||||
- name: Subtract existing and not-existing privileges, but not all
|
||||
mysql_role:
|
||||
<<: *mysql_params
|
||||
name: '{{ role2 }}'
|
||||
priv: 'data1.*:INSERT,DELETE'
|
||||
subtract_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
|
||||
- name: Assert that there was a change because permissions were/would be revoked on data1.*
|
||||
assert:
|
||||
that:
|
||||
- "result.changed == true"
|
||||
|
||||
- name: Run command to show privileges for role (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ role2 }}'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the permissions were not changed if check_mode is set to 'no'
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
|
||||
when: enable_check_mode == 'no'
|
||||
|
||||
- name: Assert that only DELETE was revoked if check_mode is set to 'yes'
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT ON `data1`.*' in result.stdout"
|
||||
when: enable_check_mode == 'yes'
|
||||
|
||||
- name: Try to subtract invalid privileges
|
||||
mysql_role:
|
||||
<<: *mysql_params
|
||||
name: '{{ role2 }}'
|
||||
priv: 'data1.*:INVALID'
|
||||
subtract_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: Assert that there wasn't a change in privileges if check_mode is set to 'no'
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
- "'Error granting privileges' in result.msg"
|
||||
when: enable_check_mode == 'no'
|
||||
|
||||
- name: trigger failure by trying to subtract and append privileges at the same time
|
||||
mysql_role:
|
||||
<<: *mysql_params
|
||||
name: '{{ role2 }}'
|
||||
priv: 'data1.*:SELECT'
|
||||
subtract_privs: yes
|
||||
append_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: Assert the previous execution failed
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
|
||||
- name: Run command to show privileges for role (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ role2 }}'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the permissions stayed the same
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT ON `data1`.*' in result.stdout"
|
||||
|
||||
##########
|
||||
# Clean up
|
||||
- name: Drop test databases
|
||||
mysql_db:
|
||||
<<: *mysql_params
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
loop:
|
||||
- data1
|
||||
|
||||
- name: Drop test role
|
||||
mysql_role:
|
||||
<<: *mysql_params
|
||||
name: '{{ role2 }}'
|
||||
state: absent
|
|
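Review bot: The `Drop test databases` cleanup task near the end of the hunk passes `state: present` to mysql_db, so `data1` is never dropped and leaks into whatever runs next; it should read `state: absent`. The mysql_user copy of this file in the last hunk has the same cleanup task with the same value. Separately, the two guarded asserts after the `Subtract existing and not-existing privileges` step look inverted: the assert expecting `GRANT SELECT, INSERT` (nothing revoked) is guarded by `when: enable_check_mode == 'no'` and the one expecting only `GRANT SELECT` by `== 'yes'`, whereas check mode is the run in which no revoke should happen — unless the intent is something else, the two `when` values should be swapped, and the unconditional `Assert that the permissions stayed the same` at the end also expects the revoked state, so it appears to need the same `== 'no'` guard. Finally, `subtract_privs: yes` and `append_privs: yes` would be cleaner as `true` per yamllint's truthy rule.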
@ -274,6 +274,11 @@
|
|||
- include: test_priv_append.yml enable_check_mode=no
|
||||
- include: test_priv_append.yml enable_check_mode=yes
|
||||
|
||||
# Test that subtract_privs will only revoke the grants given by priv
|
||||
# (https://github.com/ansible-collections/community.mysql/issues/331)
|
||||
- include: test_priv_subtract.yml enable_check_mode=no
|
||||
- include: test_priv_subtract.yml enable_check_mode=yes
|
||||
|
||||
# Tests for the TLS requires dictionary
|
||||
- include: tls_requirements.yml
|
||||
|
||||
|
|
|
@ -0,0 +1,153 @@
|
|||
# Test code to ensure that subtracting privileges will not result in unnecessary changes.
|
||||
- vars:
|
||||
mysql_parameters: &mysql_params
|
||||
login_user: '{{ mysql_user }}'
|
||||
login_password: '{{ mysql_password }}'
|
||||
login_host: 127.0.0.1
|
||||
login_port: '{{ mysql_primary_port }}'
|
||||
|
||||
block:
|
||||
|
||||
- name: Create test databases
|
||||
mysql_db:
|
||||
<<: *mysql_params
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
loop:
|
||||
- data1
|
||||
|
||||
- name: Create a user with an initial set of privileges
|
||||
mysql_user:
|
||||
<<: *mysql_params
|
||||
name: '{{ user_name_4 }}'
|
||||
password: '{{ user_password_4 }}'
|
||||
priv: 'data1.*:SELECT,INSERT'
|
||||
state: present
|
||||
|
||||
- name: Run command to show privileges for user (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the initial set of privileges matches what is expected
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
|
||||
|
||||
- name: Subtract privileges that are not in the current privileges, which should be a no-op
|
||||
mysql_user:
|
||||
<<: *mysql_params
|
||||
name: '{{ user_name_4 }}'
|
||||
password: '{{ user_password_4 }}'
|
||||
priv: 'data1.*:DELETE'
|
||||
subtract_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
|
||||
- name: Assert that there wasn't a change in permissions
|
||||
assert:
|
||||
that:
|
||||
- "result.changed == false"
|
||||
|
||||
- name: Run command to show privileges for user (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the permissions still match what was originally granted
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
|
||||
|
||||
- name: Subtract existing and not-existing privileges, but not all
|
||||
mysql_user:
|
||||
<<: *mysql_params
|
||||
name: '{{ user_name_4 }}'
|
||||
password: '{{ user_password_4 }}'
|
||||
priv: 'data1.*:INSERT,DELETE'
|
||||
subtract_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
|
||||
- name: Assert that there was a change because permissions were/would be revoked on data1.*
|
||||
assert:
|
||||
that:
|
||||
- "result.changed == true"
|
||||
|
||||
- name: Run command to show privileges for user (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the permissions were not changed if check_mode is set to 'no'
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
|
||||
when: enable_check_mode == 'no'
|
||||
|
||||
- name: Assert that only DELETE was revoked if check_mode is set to 'yes'
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT ON `data1`.*' in result.stdout"
|
||||
when: enable_check_mode == 'yes'
|
||||
|
||||
- name: Try to subtract invalid privileges
|
||||
mysql_user:
|
||||
<<: *mysql_params
|
||||
name: '{{ user_name_4 }}'
|
||||
password: '{{ user_password_4 }}'
|
||||
priv: 'data1.*:INVALID'
|
||||
subtract_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: Assert that there wasn't a change in privileges if check_mode is set to 'no'
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
- "'Error granting privileges' in result.msg"
|
||||
when: enable_check_mode == 'no'
|
||||
|
||||
- name: trigger failure by trying to subtract and append privileges at the same time
|
||||
mysql_user:
|
||||
<<: *mysql_params
|
||||
name: '{{ user_name_4 }}'
|
||||
password: '{{ user_password_4 }}'
|
||||
priv: 'data1.*:SELECT'
|
||||
subtract_privs: yes
|
||||
append_privs: yes
|
||||
state: present
|
||||
check_mode: '{{ enable_check_mode }}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: Assert the previous execution failed
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
|
||||
- name: Run command to show privileges for user (expect privileges in stdout)
|
||||
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
|
||||
register: result
|
||||
|
||||
- name: Assert that the permissions stayed the same
|
||||
assert:
|
||||
that:
|
||||
- "'GRANT SELECT ON `data1`.*' in result.stdout"
|
||||
|
||||
##########
|
||||
# Clean up
|
||||
- name: Drop test databases
|
||||
mysql_db:
|
||||
<<: *mysql_params
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
loop:
|
||||
- data1
|
||||
|
||||
- name: Drop test user
|
||||
mysql_user:
|
||||
<<: *mysql_params
|
||||
name: '{{ user_name_4 }}'
|
||||
state: absent
|
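Review bot: Every `SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'` command in this hunk hard-codes the `localhost` host part, while none of the mysql_user tasks that create or modify the account set `host:`, so the assertions silently rely on the module's default host; if a later edit adds a different `host`, every assert here would query a different account and fail for an unrelated reason. Setting `host: localhost` explicitly in the `Create a user with an initial set of privileges` task (and the subtract tasks) would keep the command and the module arguments visibly in agreement.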